diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml index c32a4c52..492a9f2c 100644 --- a/.github/workflows/python.yml +++ b/.github/workflows/python.yml @@ -33,18 +33,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -59,18 +59,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -85,18 +85,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -111,18 +111,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -149,18 +149,18 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -201,14 +201,14 @@ jobs: git config --global core.eol lf - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Create reports directory run: mkdir ${{ env.REPORTS_DIR }} - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} architecture: 'x64' @@ -218,8 +218,8 @@ jobs: import sys print('Python %s on %s in %s' % (sys.version, sys.platform, sys.getdefaultencoding())) - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -238,7 +238,7 @@ jobs: - name: Artifact reports if: ${{ ! cancelled() }} # see https://github.com/actions/upload-artifact - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ${{ env.TESTS_REPORTS_ARTIFACT }}-${{ matrix.os }}-py${{ matrix.python-version }}${{ matrix.toxenv-factors }} path: ${{ env.REPORTS_DIR }} @@ -252,7 +252,7 @@ jobs: steps: - name: fetch test artifacts # see https://github.com/actions/download-artifact - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: path: ${{ env.REPORTS_DIR }} pattern: ${{ env.TESTS_REPORTS_ARTIFACT }}-* @@ -262,7 +262,7 @@ jobs: CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }} if: ${{ env.CODACY_PROJECT_TOKEN != '' }} ## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets # see https://github.com/codacy/codacy-coverage-reporter-action - uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1 + uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1.3.0 with: project-token: ${{ env.CODACY_PROJECT_TOKEN }} coverage-reports: ${{ env.REPORTS_DIR }}/coverage/* @@ -281,12 +281,12 @@ jobs: steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '>=3.9 <=3.14' # supported version range - name: Validate Python Environment @@ -295,8 +295,8 @@ jobs: import sys print('Python %s on %s in %s' % (sys.version, sys.platform, sys.getdefaultencoding())) - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install package and prod dependencies diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9fc60639..9736fc59 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,18 +48,18 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -72,18 +72,18 @@ jobs: steps: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: Setup Python Environment # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install poetry - # see https://github.com/marketplace/actions/setup-poetry - uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 + # see https://github.com/Gr1N/setup-poetry + uses: Gr1N/setup-poetry@48b0f77c8c1b1b19cb962f0f00dff7b4be8f81ec # v9 with: poetry-version: ${{ env.POETRY_VERSION }} - name: Install dependencies @@ -110,7 +110,7 @@ jobs: - name: Generate GitHub App Token id: release-bot-token # see https://github.com/actions/create-github-app-token - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3 + uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 with: # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases client-id: 3335294 @@ -126,7 +126,7 @@ jobs: - name: Checkout code # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 token: ${{ steps.release-bot-token.outputs.token }} @@ -134,13 +134,13 @@ jobs: - name: Setup python # see https://github.com/actions/setup-python - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ env.PYTHON_VERSION_DEFAULT }} architecture: 'x64' - name: Install and configure Poetry - # See https://github.com/marketplace/actions/install-poetry-action - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1 + # Seehttps://github.com/snok/install-poetry + uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1 with: version: ${{ env.POETRY_VERSION }} virtualenvs-create: true @@ -155,7 +155,7 @@ jobs: id: release # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html # see https://github.com/python-semantic-release/python-semantic-release - uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2 + uses: python-semantic-release/python-semantic-release@1a324000f2251a9e722e77b128bf72712653813f # v10.0.2 with: git_committer_name: ${{ steps.release-bot-token.outputs.app-slug }}[bot] git_committer_email: ${{ steps.release-bot-user-id.outputs.user-id }}+${{ steps.release-bot-token.outputs.app-slug }}[bot]@users.noreply.github.com @@ -167,14 +167,14 @@ jobs: - name: Publish package distributions to PyPI if: steps.release.outputs.released == 'true' # see https://github.com/pypa/gh-action-pypi-publish - uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0 with: attestations: true - name: Publish package distributions to GitHub Releases if: steps.release.outputs.released == 'true' # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html#python-semantic-release-publish-action - uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10 + uses: python-semantic-release/publish-action@310a9983a0ae878b29f3aac778d7c77c1db27378 # v10.5.3 with: github_token: ${{ steps.release-bot-token.outputs.token }} tag: ${{ steps.release.outputs.tag }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 32589888..7439413c 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -1,39 +1,38 @@ # Analyzes all GitHub Actions workflows for security issues using zizmor. # docs: https://docs.zizmor.sh/ -name: Workflow Security Analysis (zizmor) +name: Zizmor on: - pull_request: - paths: - - ".github/workflows/**" push: - paths: - - ".github/workflows/**" + branches: ['master', 'main'] + pull_request: + branches: ['**'] + workflow_dispatch: schedule: - # Every Saturday at 00:00 UTC - - cron: "0 0 * * 6" + - cron: '0 0 * * 6' + +permissions: {} concurrency: - group: ${{ github.workflow }}-${{ github.ref }} + group: '${{ github.workflow }}-${{ github.ref }}' cancel-in-progress: true -permissions: - contents: read - jobs: zizmor: - name: zizmor + name: Zizmor runs-on: ubuntu-latest timeout-minutes: 10 + permissions: + contents: read steps: - name: Checkout # see https://github.com/actions/checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - - name: Run zizmor + - name: Run zizmor 🌈 # see https://github.com/zizmorcore/zizmor-action - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 with: # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than # uploading a SARIF report to GitHub's Security tab.